Well whatever it is, it is obviously only interested in the web server itself and not individual websites; this is evident by the HTTP/1.0 header, which will always reference the default documents on the system, and not a virtual host. I've been grepping through some scanners lately and haven't been able to find 'sumthin' in any of them; so far checked nmap, webvulnscan, nikto, and a few others. The HTTP/1.0 tells me though that this tool is designed to do what everyone has already come to for a conclusion; check server version/module information.

> -----Original Message-----
> From: Sverre H. Huseby [mailto:shhat_private]
> Sent: Tuesday, January 07, 2003 4:32 PM
> To: Chris Norris
> Cc: incidentsat_private; Noam Eppel
> Subject: Re: /sumthin Revisited
>
>
> [Chris Norris]
>
> | Maybe it's a port 80 scanner that captures banner info. Issuing
> | GET /sumthin would 99.99% produce a 404 and some server info which
> | could be added to a database.
>
> Yes, but you could just as well have obtained the info using
> "HEAD /", which wouldn't show up in the error_log.
>
> The "GET /sumthin" is the fingerprint of something. A worm,
> a scanner or something (sumthin) completely harmless. I
> think Noam's goal is to find out what this fingerprint
> matches. And I'm quite curious myself, as I see it coming
> from many different IP addresses, and only for my
> SSL/TLS-enabled domain.
>
>
> Sverre.
>
> --
> shhat_private               Computer Geek? Try my Nerd Quiz
> http://shh.thathost.com/    http://nerdquiz.thathost.com/
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service. For more
> information on this free incident handling, management and tracking system
> please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Tue Jan 07 2003 - 15:33:34 PST
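
An added example, not part of the original thread: a Python sketch that searches a web server access log for the exact `GET /sumthin HTTP/1.0` fingerprint discussed above and reports, per source address, whether that client requested anything else. It assumes Apache Common Log Format; the log lines are constructed samples and the function name is hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (Common Log Format, RFC 5737 addresses).
SAMPLE_LOG = """\
192.0.2.10 - - [07/Jan/2003:14:02:11 -0800] "GET /sumthin HTTP/1.0" 404 283
192.0.2.10 - - [07/Jan/2003:14:02:12 -0800] "GET /index.html HTTP/1.1" 200 5120
198.51.100.7 - - [07/Jan/2003:14:05:40 -0800] "GET /sumthin HTTP/1.0" 404 283
203.0.113.5 - - [07/Jan/2003:14:09:03 -0800] "HEAD / HTTP/1.0" 200 0
203.0.113.9 - - [07/Jan/2003:14:11:27 -0800] "GET /sumthin HTTP/1.0" 404 283
203.0.113.9 - - [07/Jan/2003:14:11:28 -0800] "GET /sumthin?x=1 HTTP/1.1" 404 283
not a log line
"""

# One Common Log Format entry; the request line is split into its three parts.
CLF = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>HTTP/\d\.\d)" '
    r'(?P<status>\d{3}) (?:\d+|-)$'
)


def summarize_probes(lines, probe_path="/sumthin"):
    """Map each probing client IP to its probe count, statuses and other traffic."""
    seen = defaultdict(lambda: {"probes": 0, "other": 0, "statuses": set()})
    for line in lines:
        m = CLF.match(line.strip())
        if not m:
            continue  # skip malformed or non-CLF lines
        # The fingerprint is the exact method, path and protocol version.
        if (m["method"], m["path"], m["proto"]) == ("GET", probe_path, "HTTP/1.0"):
            seen[m["ip"]]["probes"] += 1
            seen[m["ip"]]["statuses"].add(m["status"])
        else:
            seen[m["ip"]]["other"] += 1
    # Report only clients that sent the probe; flag those that sent nothing else.
    return {
        ip: {"probes": s["probes"], "statuses": sorted(s["statuses"]),
             "probe_only": s["other"] == 0}
        for ip, s in seen.items() if s["probes"]
    }


if __name__ == "__main__":
    for ip, info in sorted(summarize_probes(SAMPLE_LOG.splitlines()).items()):
        print(ip, info)
```

A client flagged `probe_only` sent the fingerprint request and nothing else, which separates the scan traffic described in the thread from visitors who merely hit a missing page.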